Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition

Pell Mell or Pas Mal? Governing commercial cyber intrusion capabilities

Binding Hook Managing Editor James Shires puts forward principles for how states should govern cyber-intrusion technologies
Main Top Image
Image created using Chat GPT-4o

On 16 October, the European Commission finally released guidelines for exporting ‘cyber-surveillance’ technologies under the EU’s 2021 Dual-Use Regulation. Defining which cyber-surveillance technology ought to be controlled is a challenging task for states, be it for national security, human rights, or other reasons. The new guidelines offer a detailed interpretation of specific terms in the Dual-Use Regulation, including ‘specially designed’, ‘intended for’ and ‘aware’. As these terms suggest, the crux of the challenge in cyber-surveillance policies is determining the extent of responsibility held by different actors involved in the development, sale, and use of cyber-surveillance technologies for any negative consequences that may arise.

One notable effort to define responsibility in this space comes from the ‘Pall Mall Process’, a multistakeholder initiative launched by two European states – France and the UK – in early 2024.  EU regulation focuses broadly on all kinds of cyber-surveillance items, but the Pall Mall Process examines only commercial cyber intrusion capabilities – in other words, hacking tools with a price tag. Just before the EU guidelines were published, the Pall Mall Process closed a three-month consultation inviting states, industry representatives, academia, and civil society to share their views of responsible behaviour.

As an independent contribution on the issues tackled by the Pall Mall Process, I co-authored reports on behalf of the European Cyber Conflict Research Incubator (ECCRI CIC), the Royal United Services Institute (RUSI), and Chatham House, funded by the UK Foreign, Commonwealth, and Development Office (FCDO). The RUSI paper identifies how states facilitate the expansion of markets for commercial cyber intrusion capabilities, while the Chatham House report suggests market governance principles. In this article, I draw on the latter to explain how these principles can propel the policy debate forward without hurtling ‘pell-mell’ towards overregulation or settling for the ‘pas mal’ – ‘least worst’, in questionable French – option.

Back to basics

Cyber intrusion is the ability to access and manipulate a digital device, system, or network remotely without authorisation. Intrusion capabilities are now commercially available to both state and non-state actors. They are a double-edged sword. Crucial to digital defences, statecraft, and military power, cyber intrusion capabilities are also a troubling new vector for cybercrime. Alarmingly, states frequently use such capabilities in ways that violate international human rights law and undermine norms of responsible state behaviour in cyberspace.

Fundamental to intrusion technology governance is defining what use of these capabilities is ‘legitimate’ and what is ‘illegitimate’. Many commentators call commercial cyber intrusion capabilities ‘dual use’ because they can be used for both. For example, vulnerability researchers could just as easily sell their findings to both responsible and malicious actors, while a malware framework intended for penetration testing could be repurposed for cybercrime. 

However, the ‘dual-use’ label is unhelpful, not least because there is extensive disagreement about what counts as a legitimate use, as Lena Riecke has explained. Governments often authorise cyber intrusions, even if they conflict with international law and norms. Consequently, civil society, governments, and the cybersecurity industry tend to talk past one another. What some see as a clear malicious hack, others see as a legitimate state intelligence operation.

From dual-use to permissioned use

We can avoid most of the challenges of the ‘dual-use’ framework by instead distinguishing between ‘permissioned’ and ‘unpermissioned’ intrusion. Permissioned intrusion happens with the permission of either the user, the owner, or the operator of a targeted device, system, or network. One example is ‘red-teaming’, which involves thinking or acting as a cyber attacker, or ‘red team’, to better understand potential weaknesses. Another is penetration testing, where a contracted professional tests an organisation’s cybersecurity as if they were an attacker.

In contrast, unpermissioned intrusion occurs without the consent of the user, owner, or operator. Unpermissioned intrusion deliberately encompasses a wide range of activities: thieves employing ransomware, corporations snooping on their competitors, governments spying on journalists and political activists, or law enforcement tackling cybercrime and disrupting terrorist networks.

As a pair, the terms ‘permissioned’ and ‘unpermissioned’ are useful precisely because they are not already prevalent. ‘Permit’ or ‘authorisation’ are frequently used by law enforcement or intelligence agencies to refer to receiving a warrant from a minister or judge. Using new terms lessens the risk of introducing confusion regarding legitimacy between government warrants on the one hand and owner, operator, and user permission on the other.

Instead of debating the legitimacy of the technology’s use, this distinction protects permissioned uses from tougher interventions, such as export controls, intended to prevent such capabilities from being misused or falling into the wrong hands. Previous state attempts to control intrusion software exports failed because they unintentionally also captured permissioned uses, creating opposition that delayed and weakened legislation. 

This distinction between ‘permissioned’ and ‘unpermissioned’ places ‘responsible’ cyber intrusion – for example, its necessary and proportionate use in an urgent counter-terror investigation – in the same conceptual framework as cybercrime and blatant abuses of government surveillance powers. This may be an uncomfortable conclusion for many in this industry. However, doing so is a crucial first step to more effective governance of these markets.

Principles for responsible state approaches

State cyber intrusion principles can reconcile national security objectives with human rights and internet security. They can also help to identify opportunities for high-level agreement outside existing regulatory centres in the US and Europe. I suggest principles in three key areas:

Improve policy coherence

States should align their actions across cyber intrusion markets – as users, investors, defenders, and regulators. For example, not investing in or purchasing tools from commercial cyber intrusion companies under investigation or sanction by other branches of the same state. Similarly, states should avoid conflicting policy or law. For example, criminalising cybersecurity research by failing to provide sufficient exemptions to cybercrime laws for ‘good faith’ investigations, while supporting such research through state cybersecurity strategies or industry standards.

Separate and support markets 

States should separate permissioned markets from unpermissioned markets and adopt policies to stimulate the former. There is precedent for this: after the 2008 financial crash, banks in some countries were forced to administratively separate activities that had previously been tightly connected. 

Separation and stimulation are likely to be more administrative than technological. The extensive overlap between technologies in permissioned and unpermissioned markets means that most successful interventions will be through ‘softer’ policy levers, targeted at both organisations and individuals. Organisationally, companies in permissioned markets could improve controls to prevent the use of their tools for unpermissioned intrusion – for example, by strengthening ‘know-your-customer’ (KYC) policies. Government procurement processes could favour contractors that prevent unpermissioned use.

Focusing on individuals, states could intervene at the educational level, incorporating ethical technology-use principles in school or university curriculums. Further professional recognition, similar to existing ethical hacking certifications, could also have a positive effect. States could also influence the career direction of personnel who leave government service to go into permissioned cyber intrusion markets through financial or more value- and culture-based incentives.

Limit end users and raise standards 

Government transparency in acknowledging unpermissioned cyber intrusions – for military, national security, and law enforcement purposes – is necessary to regulate intrusion capabilities effectively. States cannot usefully discuss constraints on an activity they do not admit to conducting. There is of course a tension between transparency and risking discovery or compromise, but states can manage it by removing operational detail from their acknowledgements.

At the same time, engaging commercial actors to independently conduct unpermissioned cyber intrusion on states’ behalf could incentivise commercial actors to conduct massive and disproportionate intrusions to satisfy their clients, increasing the likelihood of abuse. As such, states should look to place commercial actors as far from the front line of cyber operations as possible. This includes other non-state actors, such as hacktivist organisations or unstructured ‘IT armies’.

Finally, integrating good practices of unpermissioned intrusion with wider efforts to improve anti-corruption, security governance, and rule of law would have prevented many of the high-profile cases of misuse and abuse seen to date. For example, integrating the OECD principles for government access to data into domestic policies would ensure cyber intrusions have a sound legal basis, legitimate aims, appropriate approval and handling, transparency, oversight, and redress. Adopting UN norms of responsible state behaviour in cyberspace as minimum standards would also help reduce misuse. 

What next?  

Some industry observers predict a schism. On one side, a highly regulated, predominantly Western market with potentially lower profit margins, but with internal trust and transparency mechanisms. On the other side, a broader global market with higher profit margins and far less – or no – regulation. Principles can help to identify areas of common interest and agreement between these two markets. Whatever action states take, they must be sensitive to the nuanced market dynamics of this field and keenly aware of the urgent need to prevent misuse and abuse of cyber intrusion capabilities.

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.